Bug 1969929 - oc image extract fails due to security capabilities on files
Summary: oc image extract fails due to security capabilities on files
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.6.z
Assignee: Maciej Szulik
QA Contact: zhou ying
Duplicates: 1970203
Depends On: 1969928
Blocks: 1867598 1954587 1995337 1997492
Reported: 2021-06-09 13:22 UTC by OpenShift BugZilla Robot
Modified: 2021-08-25 11:48 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Insufficient privileges to set extended attributes during untarring.
Consequence: oc image extract was failing with an "operation not permitted" error when run as a non-root user.
Fix: Check the user and set extended security attributes only when run as root.
Result: oc image extract works correctly for both root and non-root users.
Clone Of:
Last Closed: 2021-07-21 18:17:09 UTC
Target Upstream Version:


External trackers:
- GitHub openshift/oc pull 877, status open: "[release-4.6] Bug 1969929: exclude security during exctraction" (last updated 2021-07-07 11:24:52 UTC)
- Red Hat Product Errata RHBA-2021:2684 (last updated 2021-07-21 18:17:33 UTC)

Description OpenShift BugZilla Robot 2021-06-09 13:22:33 UTC
+++ This bug was initially created as a clone of Bug #1969928 +++

+++ This bug was initially created as a clone of Bug #1965330 +++

Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.  

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.

Version-Release number of selected component (if applicable):
4.8, but the expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully

Additional info:
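
The mechanism behind this report, shown as an added example rather than code from oc or from the openshift/oc pull request: file capabilities such as `cap_net_raw=ep` live in the `security.capability` extended attribute, a tar layer carries them as PAX records named `SCHILY.xattr.security.capability`, and writing that attribute back needs CAP_SETFCAP, which an unprivileged user does not have, so a naive extractor fails the whole layer with "operation not permitted". The extractor below follows the approach the Doc Text describes: it applies `security.*` attributes only when told it is running as root and otherwise records them as skipped. The function names (`buildTar`, `extractTar`), the in-memory sample layer (`sampleFiles`, `sampleCaps`) and the capability blob are all constructed for this example; none of them come from the bug or from oc.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// tar carries xattrs as PAX records under this prefix, e.g. "SCHILY.xattr.security.capability".
const paxXattrPrefix = "SCHILY.xattr."

// buildTar packs name->body regular files into an in-memory PAX tar (constructed example data);
// caps maps a file name to the raw security.capability value that file should carry.
func buildTar(files, caps map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range files {
		hdr := &tar.Header{Name: name, Mode: 0o755, Typeflag: tar.TypeReg,
			Size: int64(len(body)), Format: tar.FormatPAX}
		if blob, ok := caps[name]; ok {
			hdr.PAXRecords = map[string]string{paxXattrPrefix + "security.capability": blob}
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// capNetRawEP is the 20-byte VFS_CAP_REVISION_2 value that `setcap cap_net_raw=ep` stores:
// magic|effective flag, permitted (bit 13 = CAP_NET_RAW), inheritable, high words; little-endian.
var capNetRawEP = string([]byte{1, 0, 0, 2, 0, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})

// Constructed stand-in for a layer like the one in the bug: one plain file and one setcap'ed binary.
var sampleFiles = map[string]string{"etc/issue": "Red Hat Enterprise Linux\n", "usr/bin/ping": "#!/bin/sh\necho fake ping\n"}
var sampleCaps = map[string]string{"usr/bin/ping": capNetRawEP}

// extractTar unpacks the regular files in r under dest. xattrs in the "security." namespace need
// CAP_SETFCAP, so they are attempted only when asRoot is true and are otherwise listed in skipped.
func extractTar(r io.Reader, dest string, asRoot bool) ([]string, error) {
	var skipped []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return skipped, nil
		} else if err != nil {
			return skipped, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories are created on demand; links and devices are out of scope here
		}
		target := filepath.Join(dest, hdr.Name) // Join cleans the path, but ".." can still climb out
		if !strings.HasPrefix(target, filepath.Clean(dest)+string(os.PathSeparator)) {
			return skipped, fmt.Errorf("tar member %q escapes %s", hdr.Name, dest)
		}
		data, err := io.ReadAll(tr) // whole member in memory: fine for an example, not for real layers
		if err != nil {
			return skipped, err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return skipped, err
		}
		if err := os.WriteFile(target, data, os.FileMode(hdr.Mode)&0o777); err != nil {
			return skipped, err
		}
		for key, value := range hdr.PAXRecords {
			if !strings.HasPrefix(key, paxXattrPrefix) {
				continue
			}
			attr := strings.TrimPrefix(key, paxXattrPrefix)
			if strings.HasPrefix(attr, "security.") && !asRoot {
				skipped = append(skipped, hdr.Name+": "+attr) // the non-root path this bug fix adds
				continue
			}
			err := syscall.Setxattr(target, attr, []byte(value), 0)
			if err != nil && err != syscall.ENOTSUP { // ENOTSUP: filesystem without xattr support
				return skipped, fmt.Errorf("setxattr %s on %s: %w", attr, target, err)
			}
		}
	}
}

func main() {
	dest, _ := os.MkdirTemp("", "extract-")
	skipped, err := extractTar(bytes.NewReader(buildTar(sampleFiles, sampleCaps)), dest, os.Geteuid() == 0)
	fmt.Println("dest:", dest, "skipped:", skipped, "err:", err)
}
```

Run as an ordinary user it prints `usr/bin/ping: security.capability` under skipped and leaves a file without the capability; run as root on a filesystem with xattr support it writes the attribute, which `getcap` on the extracted file then reports as `cap_net_raw=ep`. Two caveats a practitioner should keep in mind: the EUID check is a heuristic, since a root process in a container that has dropped CAP_SETFCAP still gets EPERM and would surface that as a real error here, and a binary extracted without its capability will behave differently from the one in the image, so a tool that takes this route should report the skipped attributes rather than stay silent.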

Comment 1 Maciej Szulik 2021-06-10 10:38:44 UTC
*** Bug 1970203 has been marked as a duplicate of this bug. ***

Comment 4 zhou ying 2021-07-13 02:18:58 UTC
[root@localhost ~]# oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
[root@localhost ~]# echo $?
[root@localhost ~]# oc version --client 
Client Version: 4.6.0-0.nightly-2021-07-09-014429

Can't reproduce the issue now.

Comment 6 errata-xmlrpc 2021-07-21 18:17:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.39 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

